Techstarts
Expert

Powercli and Hardening Guide

Hi All,

I have addressed almost all of the security recommendations in a single PowerShell script, but I'm stuck with the two settings below.

  1. Disable Managed Object Browser
  2. Establish a password policy for password complexity

Disabling the Managed Object Browser needs the vim-cmd command, while the password policy needs an edit to /etc/pam.d/passwd.

I was wondering whether there is a way I can implement the above two settings using PowerCLI.

That would mean I run a single PowerCLI script and the script hardens the entire ESXi box.

Thanks,

Preetam

With Great Regards,
Accepted Solution
LucD
Leadership

Afaik there is no PowerCLI cmdlet nor a vSphere method to do that.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
11 Replies
LucD
Leadership

For 2), see William's post called Using vCLI’s vifs For More Than Just Datastore File Management.

If you can, and are willing to, update the /etc/vmware/hostd/webAccessibleConfigFiles.xml file to include the pam file, you could use that method to access the file.


LucD
Leadership

For 1), with an SSH connection, for example through plink.exe, you can run the vim-cmd command, as mentioned in KB1016039, to disable the MOB.




Techstarts
Expert

But then again I have to use vCLI, which means using more than one script.

Unless there is a way we can achieve the same thing using PowerCLI which I'm not aware of.

Message was edited by: Preetam Zare
lakey81
Enthusiast

Mind sharing your script for the hardening? I was planning on getting around to doing the same thing but haven't done it yet.
MCioe
Enthusiast

Somewhat related to this. I posted the link below in the ESXi 5.0 board, because I could not get the password complexity to work correctly.

Basically,

I would like to set the password complexity for the new accounts on my ESXi 5.0 (update 2) host to be a minimum of 14 characters, and have at least 1 of each of the following: 1 upper case char, 1 digit, 1 lowercase char, 1 special char and no dictionary words (passphrases).

I updated the /etc/pam.d/passwd file to look like the following (changed the default min=8,8,8,7,6):

    password   requisite   /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,disabled,14

I then go up to the VI Client and try to create a user on the host with this new complexity, and it will only accept a password with a minimum of 30 characters.

I would be curious to hear if your settings worked for you.

Original Post:

http://communities.vmware.com/thread/445165

Techstarts
Expert

Hi Luc,

I was able to do this using plink.exe and the sed command.

So my script is ready and under final testing.

Thanks for your assistance.

lakey81, I will definitely share the script, please allow me some time.

MCioe: Please refer to the KB, if you've not done so. It might help.
MCioe
Enthusiast

TechStarts,

I have looked at that KB and it does not have any additional insight for me. I want to set the password complexity to the following:

     minimum of 14 characters,

     at least one upper case char,

     at least one lowercase char,

     at least one numeric char,

     at least one special char,

     no dictionary words and

     at least 4 chars changed between old and new password.

My understanding is that I can update /etc/pam.d/passwd to have this line to accomplish that, but it does not work:

   password   requisite   /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,disabled,14

When I create a user/password in the VI Client with that complexity, I have to create a password with a minimum of 30 chars.

Am I missing something?
gajuambi
Enthusiast

Hi, check out my MOBdisabler script on GitHub. Hope it helps.

vmware/MOBdisabler1.1 at master · gajuambi/vmware · GitHub

---------------------- Gajendra D Ambi [pardon my chat lingo]
gajuambi
Enthusiast

Yes, true, but I found that to be a little lengthy (takes more time); instead you can create a shell script on the host, run the script and delete the script via plink + PowerShell.

vmware/MOBdisabler1.1 at master · gajuambi/vmware · GitHub

gajuambi
Enthusiast

Hi,

You can use my method to disable the MOB:

vmware/MOBdisabler1.1 at master · gajuambi/vmware · GitHub

That will disable the MOB by creating a shell script inside the host and running it.

Or

use the following simple method:

https://github.com/gajuambi/vmware/blob/master/WINtoESXi

where you have to replace command1 with whatever command you want, which in this case will be

from

C:\plink.exe -ssh -v -noagent $VMHost -l $user -pw $pass 'command1'

to

C:\plink.exe -ssh -v -noagent $VMHost -l $user -pw $pass 'vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect"'

I use at least one of these two methods every day.
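The thread settles on one approach for both items: PowerCLI for the vSphere API side, plink.exe for the two changes that only exist on the ESXi shell (the vim-cmd MOB removal from LucD's reply and gajuambi's plink one-liner, and the pam_passwdqc edit from MCioe's posts). The script below is an added example written for this page; it is not code from the thread and not gajuambi's MOBdisabler or WINtoESXi scripts. Assumptions, all hypothetical: the host name esxi01.example.com, plink.exe at C:\Tools\plink.exe, and that plink already has the host key for the ESXi box cached (with -batch, an unknown host key aborts instead of prompting, which is what you want in an unattended script). It starts SSH with PowerCLI only for the duration of the run, makes both changes, verifies each one on the host instead of trusting the exit code, and stops SSH again in a finally block.

```powershell
# Added example for this thread, not the original poster's script.
# Assumed: host name, plink path, and a cached plink host key for the host.
param(
    [string]$VIServer = 'esxi01.example.com',   # assumed host name
    [string]$Plink    = 'C:\Tools\plink.exe',    # assumed path to plink.exe
    # pam_passwdqc min=N0,N1,N2,N3,N4 is the minimum length for passwords built from
    # 1 character class / 2 classes / a passphrase / 3 classes / 4 classes.
    # 'disabled' rejects that category entirely, so this value (MCioe's line above)
    # accepts only 4-class passwords of at least 14 characters. ESXi 5.x default is 8,8,8,7,6.
    [string]$PamMin   = 'disabled,disabled,disabled,disabled,14'
)

$cred = Get-Credential -Message "ESXi root credentials for $VIServer"

Connect-VIServer -Server $VIServer -Credential $cred | Out-Null
$vmhost = Get-VMHost -Name $VIServer

# Step 1: start the SSH daemon (service key TSM-SSH) only if it is not already running,
# and remember the previous state so the script leaves the host as it found it.
$ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
$sshWasRunning = $ssh.Running
if (-not $sshWasRunning) { Start-VMHostService -HostService $ssh -Confirm:$false | Out-Null }

function Invoke-EsxShell {
    # Runs one command on the ESXi shell through plink and returns its output lines.
    # -pw puts the password on the command line, where other local users can see it
    # in the process list; use a key (-i key.ppk) instead when the host allows it.
    param([Parameter(Mandatory)][string]$Command)
    $plain = $cred.GetNetworkCredential().Password
    $out = & $Plink -ssh -batch -noagent -l $cred.UserName -pw $plain $VIServer $Command 2>&1
    if ($LASTEXITCODE -ne 0) { throw "plink failed (exit $LASTEXITCODE): $out" }
    return $out
}

try {
    # Step 2a: hardening guide item "Disable Managed Object Browser" (KB1016039).
    Invoke-EsxShell 'vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect"' | Out-Null

    # Step 2b: password complexity. Back up /etc/pam.d/passwd, then rewrite only the
    # min= field of the pam_passwdqc line with sed, leaving the rest of the line alone.
    Invoke-EsxShell 'cp /etc/pam.d/passwd /etc/pam.d/passwd.bak' | Out-Null
    Invoke-EsxShell "sed -i 's/min=[^ ]*/min=$PamMin/' /etc/pam.d/passwd" | Out-Null

    # Step 3: verify on the host. /mob must be absent from hostd's proxy service list,
    # and the pam_passwdqc line must now carry the requested min= value.
    $services = Invoke-EsxShell 'vim-cmd proxysvc/service_list'
    if ($services -match '/mob') { throw 'MOB is still registered with hostd' }

    $pam = Invoke-EsxShell 'grep pam_passwdqc /etc/pam.d/passwd'
    if ($pam -notmatch [regex]::Escape("min=$PamMin")) {
        throw "pam_passwdqc line was not updated: $pam"
    }

    Write-Host "MOB removed and pam_passwdqc min=$PamMin applied on $VIServer"
}
finally {
    # Step 4: close the SSH window again, whether or not the changes succeeded.
    if (-not $sshWasRunning) { Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
    Disconnect-VIServer -Server $VIServer -Confirm:$false
}
```

Two checks worth adding to whatever you build from this: re-run the verification step after a host reboot, because the vim-cmd removal is a change to the running hostd configuration and you want proof it survives a restart (or that your script re-applies it); and test the new pam_passwdqc line immediately by creating a throwaway local account with a known-good 14-character, 4-class password, since the rejection message the VI Client shows is the only feedback you get. On later ESXi releases (6.0 onward) the MOB is also exposed as the advanced setting Config.HostAgent.plugins.solo.enableMob, which Get-AdvancedSetting and Set-AdvancedSetting can manage without SSH; that is outside the 5.x versions this thread is about, so the plink path is still what applies here.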